      One security decision that needs to be made very carefully is who
      will have access to system administrator privileges and passwords
      for your services.  Obviously, the system administrators will need
      access, but inevitably other users will request special
      privileges.  The policy should address this issue.  Restricting
      privileges is one way to deal with threats from local users.  The
      challenge is to balance restricting access to these to protect
      security with giving people who need these privileges access so
      that they can perform their tasks.  One approach that can be taken
      is to grant only enough privilege to accomplish the necessary
      tasks.

Site Security Policy Handbook Working Group                    [Page 16]

RFC 1244                 Site Security Handbook                July 1991

      Additionally, people holding special privileges should be
      accountable to some authority and this should also be identified
      within the site's security policy.  If the people you grant
      privileges to are not accountable, you run the risk of losing
      control of your system and will have difficulty managing a
      compromise in security.

   2.3.5  What Are The Users' Rights and Responsibilities?

      The policy should incorporate a statement on the users' rights and
      responsibilities concerning the use of the site's computer systems
      and services.  It should be clearly stated that users are
      responsible for understanding and respecting the security rules of
      the systems they are using.  The following is a list of topics
      that you may wish to cover in this area of the policy:

         o What guidelines you have regarding resource consumption
           (whether users are restricted, and if so, what the
           restrictions are).

         o What might constitute abuse in terms of system performance.

         o Whether users are permitted to share accounts or let others
           use their accounts.
         o How "secret" users should keep their passwords.

         o How often users should change their passwords and any other
           password restrictions or requirements.

         o Whether you provide backups or expect the users to create
           their own.

         o Disclosure of information that may be proprietary.

         o Statement on Electronic Mail Privacy (Electronic
           Communications Privacy Act).

         o Your policy concerning controversial mail or postings to
           mailing lists or discussion groups (obscenity, harassment,
           etc.).

         o Policy on electronic communications: mail forging, etc.

      The Electronic Mail Association sponsored a white paper on the
      privacy of electronic mail in companies [4].  Their basic
      recommendation is that every site should have a policy on the
      protection of employee privacy.  They also recommend that
      organizations establish privacy policies that deal with all media,
      rather than singling out electronic mail.

      They suggest five criteria for evaluating any policy:

         1. Does the policy comply with law and with duties to
            third parties?

         2. Does the policy unnecessarily compromise the interest of
            the employee, the employer or third parties?

         3. Is the policy workable as a practical matter and likely to
            be enforced?

         4. Does the policy deal appropriately with all different
            forms of communications and record keeping within the
            office?

         5. Has the policy been announced in advance and agreed to by
            all concerned?
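Section 2.3.4 above advises granting only enough privilege to accomplish the task and holding privilege holders accountable to some authority. The following sudoers fragment is an added illustration, not part of RFC 1244 (which predates sudo's common use); the user names, aliases, command paths and log locations are assumed values chosen for the example.

```sudoers
# WEAK: every member of group "staff" gets unrestricted root.  Anyone
# who requests "special privileges" ends up with all of them, and the
# site has no record of what each person did with them.
%staff ALL=(ALL) ALL

# CORRECTED: name the roles and list only the commands each task needs
# (assumed users and command paths).
User_Alias BACKUP_OPS = alice, bob
User_Alias PRINT_OPS  = carol
Cmnd_Alias BACKUP_CMDS = /usr/bin/rsync, /usr/bin/tar
Cmnd_Alias PRINT_CMDS  = /usr/sbin/lpc, /usr/bin/lprm

BACKUP_OPS ALL=(root) BACKUP_CMDS
PRINT_OPS  ALL=(root) PRINT_CMDS

# ACCOUNTABILITY: record who ran which privileged command, and keep the
# terminal input/output of those sessions for later investigation.
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
```

The corrected form also keeps password prompting in place (no NOPASSWD), so a privileged action still requires the holder's own credential rather than a shared administrator password.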
   2.3.6  What Are The Rights and Responsibilities of System
          Administrators Versus Rights of Users

      There is a tradeoff between a user's right to absolute privacy and
      the need of system administrators to gather sufficient information
      to diagnose problems.  There is also a distinction between a
      system administrator's need to gather information to diagnose
      problems and investigating security violations.  The policy should
      specify to what degree system administrators can examine user
      files to diagnose problems or for other purposes, and what rights
      you grant to the users.  You may also wish to make a statement
      concerning system administrators' obligation to maintain the
      privacy of information viewed under these circumstances.  A few
      questions that should be answered are:

         o Can an administrator monitor or read a user's files
           for any reason?

         o What are the liabilities?

         o Do network administrators have the right to examine
           network or host traffic?

   2.3.7  What To Do With Sensitive Information

      Before granting users access to your services, you need to
      determine at what level you will provide for the security of data
      on your systems.  By determining this, you are determining the
      level of sensitivity of data that users should store on your
      systems.  You do not want users to store very sensitive
      information on a system that you are not going to secure very
      well.  You need to tell users who might store sensitive
      information what services, if any, are appropriate for the storage
      of sensitive information.  This part should include storing of
      data in different ways (disk, magnetic tape, file servers, etc.).
      Your policy in this area needs to be coordinated with the policy
      concerning the rights of system administrators versus users (see
      section 2.3.6).

2.4  What Happens When the Policy is Violated

   It is obvious that when any type of official policy is defined, be it
   related to computer security or not, it will eventually be broken.
   The violation may occur due to an individual's negligence, accidental
   mistake, having not been properly informed of the current policy, or
   not understanding the current policy.  It is equally possible that an
   individual (or group of individuals) may knowingly perform an act
   that is in direct violation of the defined policy.

   When a policy violation has been detected, the immediate course of
   action should be pre-defined to ensure prompt and proper enforcement.
   An investigation should be performed to determine how and why the
   violation occurred.  Then the appropriate corrective action should be
   executed.  The type and severity of action taken varies depending on
   the type of violation that occurred.

   2.4.1  Determining the Response to Policy Violations

      Violations to policy may be committed by a wide variety of users.
      Some may be local users and others may be from outside the local
      environment.  Sites may find it helpful to define what they
      consider "insiders" and "outsiders" based upon administrative,
      legal or political boundaries.  These boundaries imply what type
      of action must be taken to correct the offending party; from a
      written reprimand to pressing legal charges.  So, not only do you
      need to define actions based on the type of violation, you also
      need to have a clearly defined series of actions based on the kind
      of user violating your computer security policy.
      This all seems rather complicated, but should be addressed long
      before it becomes necessary as the result of a violation.

      One point to remember about your policy is that proper education
      is your best defense.  For the outsiders who are using your
      computer legally, it is your responsibility to verify that these
      individuals are aware of the policies that you have set forth.
      Having this proof may assist you in the future if legal action
      becomes necessary.

      As for users who are using your computer illegally, the problem is
      basically the same.  What type of user violated the policy and how
      and why did they do it?  Depending on the results of your
      investigation, you may just prefer to "plug" the hole in your
      computer security and chalk it up to experience.  Or if a
      significant amount of loss was incurred, you may wish to take more
      drastic action.

   2.4.2  What to do When Local Users Violate the Policy of a Remote
          Site

      In the event that a local user violates the security policy of a
      remote site, the local site should have a clearly defined set of
      administrative actions to take concerning that local user.  The
      site should also be prepared to protect itself against possible
      actions by the remote site.  These situations involve legal issues
      which should be addressed when forming the security policy.

   2.4.3  Defining Contacts and Responsibilities to Outside
          Organizations

      The local security policy should include procedures for
      interaction with outside organizations.  These include law
      enforcement agencies, other sites, external response team
      organizations (e.g., the CERT, CIAC) and various press agencies.
      The procedure should state who is authorized to make such contact
      and how it should be handled.  Some questions to be answered
      include:

         o Who may talk to the press?

         o When do you contact law enforcement and investigative
           agencies?

         o If a connection is made from a remote site, is the
           system manager authorized to contact that site?

         o Can data be released?  What kind?

      Detailed contact information should be readily available along
      with clearly defined procedures to follow.

   2.4.4  What are the Responsibilities to our Neighbors and Other
          Internet Sites?

      The Security Policy Working Group within the IETF is working on a
      document entitled, "Policy Guidelines for the Secure Operation of
      the Internet" [23].  It addresses the issue that the Internet is a
      cooperative venture and that sites are expected to provide mutual
      security assistance.  This should be addressed when developing a
      site's policy.  The major issue to be determined is how much
      information should be released.  This will vary from site to site
      according to the type of site (e.g., military, education,
      commercial) as well as the type of security violation that
      occurred.

   2.4.5  Issues for Incident Handling Procedures

      Along with statements of policy, the document being prepared
      should include procedures for incident handling.  This is covered
      in detail in the next chapter.  There should be procedures
      available that cover all facets of policy violation.

2.5  Locking In or Out

   Whenever a site suffers an incident which may compromise computer
   security, the strategies for reacting may be influenced by two
   opposing pressures.
   If management fears that the site is sufficiently vulnerable, it may
   choose a "Protect and Proceed" strategy.  This approach will have as
   its primary goal the protection and preservation of the site
   facilities and to provide for normalcy for its users as quickly as
   possible.  Attempts will be made to actively interfere with the
   intruder's processes, prevent further access and begin immediate
   damage assessment and recovery.  This process may involve shutting
   down the facilities, closing off access to the network, or other
   drastic measures.  The drawback is that unless the intruder is
   identified directly, they may come back into the site via a different
   path, or may attack another site.

   The alternate approach, "Pursue and Prosecute", adopts the opposite
   philosophy and goals.  The primary goal is to allow intruders to
   continue their activities at the site until the site can identify the
   responsible persons.  This approach is endorsed by law enforcement
   agencies and prosecutors.  The drawback is that the agencies cannot
   exempt a site from possible user lawsuits if damage is done to their
   systems and data.

   Prosecution is not the only outcome possible if the intruder is
   identified.  If the culprit is an employee or a student, the
   organization may choose to take disciplinary actions.  The computer
   security policy needs to spell out the choices and how they will be
   selected if an intruder is caught.

   Careful consideration must be made by site management regarding their
   approach to this issue before the problem occurs.  The strategy
   adopted might depend upon each circumstance.  Or there may be a
   global policy which mandates one approach in all circumstances.  The
   pros and cons must be examined thoroughly and the users of the
   facilities must be made aware of the policy so that they understand
   their vulnerabilities no matter which approach is taken.
   The following are checklists to help a site determine which strategy
   to adopt: "Protect and Proceed" or "Pursue and Prosecute".
